Email isn't inserted into mysql database from form
I have a newsletter for one of my sites and I can't get the email posted to the mysql database.
Here is the html form code (the subscribe form):
```html
<h2>newsletter</h2>
<br /><input type="text" name="email" value="" id="email" />
<input type="button" name="submit" onclick="submit_it()" value="OK" />
<script type="text/javascript" charset="utf-8">
function submit_it() {
    var cate_value = $('#cate').val();   // no element with id "cate" appears in this snippet
    var email_value = $('#email').val();
    // note: the variable assigned above is cate_value, but category_value is what gets sent
    $.post("subscribe.php", { email: email_value , cate: category_value }, function(response) {
        if (response!='') {alert(response)};
        alert('ok');
    });
}
</script>
</body>
```
And here is the php processing code:
```php
<?php
$host = "localhost";
$user = "some_user";
$password = "some_pass";
$database = "news";
$server = mysql_connect($host, $user, $password);
$connection = mysql_select_db($database, $server);

function sql_quote($value) {
    // single-pass blacklist stripping; returns the value wrapped in quotes unless it is numeric
    $value = str_replace('<?', '', $value);
    $value = str_replace('script', '', $value);
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    } else {
        if ((string)$value[0] == '0') {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
    }
    return $value;
}

// $_POST['cate'] is concatenated into the statement without quoting or escaping
$q = "INSERT INTO emails (email,cate) VALUES (" . sql_quote($_POST['email']) . "," . $_POST['cate'] . ")";
mysql_query($q);
?>
```
Any help would be much appreciated, because I've been fooling with this for the last 5 hours trying to make it work and I just can't figure it out; plus I can't look at it anymore. My eyes hurt now. lol Thanks again.
You should definitely rewrite your code as hobodave suggests. I think something is wrong with your db configuration, though. Try this in the meantime, to execute your query:
```php
$result = mysql_query($q);
if ($result) {
    echo('OK');
} else {
    // mysql_error() reports why the server rejected the statement
    echo('Invalid query: ' . mysql_error());
}
```
Your PHP sql_quote function is very naive with its str_replace() filtering. It is trivial to bypass this and insert unwanted data in your database.
I suggest the following rewrite of your code:
```php
<?php
$host = "localhost";
$user = "some_user";
$password = "some_pass";
$database = "newsletter";
$server = mysql_connect($host, $user, $password);
$connection = mysql_select_db($database, $server);

// escape only; quoting is done in the query template
function sql_quote($value)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return mysql_real_escape_string($value);
}

$email = $_POST['email'];
$category = $_POST['category'];

// validate before building any SQL: a well-formed address and an integer category
if (filter_var($email, FILTER_VALIDATE_EMAIL)
    && FALSE !== filter_var($category, FILTER_VALIDATE_INT)
) {
    $q = sprintf("INSERT INTO emails (email, category) VALUES ('%s', '%s')",
        sql_quote($email),
        sql_quote($category)
    );
    // execute query
    mysql_query($q) or die('Invalid query: ' . mysql_error());
} else {
    // Do what you want with invalid data
}
```
I'd also suggest the following changes:
- Disable magic_quotes_runtime so you don't need to check, thus you can do away with sql_quote entirely
- Use mysqli
Edit:
Why are you even using AJAX to process this form submission? I don't see any benefit in it. You're not doing anything special, just submitting a form.
I'd suggest removing the AJAX altogether and just using the submit button as it's intended.
If you insist though, you can at least temporarily remove it to simplify your testing.
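As an added example (not code from the question or from any answer on this page), the following script shows why the str_replace blacklist gives no protection and what the hardened subscribe.php looks like once values are validated and then bound to a prepared statement, which is the point of the "use mysqli" advice above. The helper names (`naive_filter`, `validate_subscription`, `insert_subscription`, `expect`) and the sample inputs are assumptions made for the demonstration; PDO over an in-memory SQLite database is used only so the script runs stand-alone, and a deployment would use a DSN such as `mysql:host=localhost;dbname=news` instead.

```php
<?php
// Added example: hardened subscribe logic, not the question's or any answer's code.
// PDO + in-memory SQLite is an assumption so this runs without a MySQL server.
declare(strict_types=1);

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// The original filter, reduced to its str_replace step.
function naive_filter(string $value): string
{
    $value = str_replace('<?', '', $value);
    return str_replace('script', '', $value);
}

// One pass removes the inner copy of the token and the outer halves rejoin.
expect(naive_filter('scrscriptipt') === 'script', 'blacklist bypassed by nesting');
// And the filter never touches the characters that matter for SQL.
$payload = "x'); DROP TABLE emails; --";
expect(naive_filter($payload) === $payload, 'SQL metacharacters pass untouched');

// Whitelist validation: only an e-mail address and an integer category are accepted.
function validate_subscription(string $email, string $category): ?array
{
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    $category = filter_var($category, FILTER_VALIDATE_INT);
    if ($email === false || $category === false) {
        return null;
    }
    return ['email' => $email, 'category' => $category];
}

// Values are bound to placeholders and never become part of the SQL text,
// so no quoting or escaping function is needed at all.
function insert_subscription(PDO $db, string $email, int $category): void
{
    $stmt = $db->prepare('INSERT INTO emails (email, category) VALUES (:email, :category)');
    $stmt->execute([':email' => $email, ':category' => $category]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE emails (id INTEGER PRIMARY KEY, email TEXT NOT NULL, category INTEGER NOT NULL)');

// Constructed inputs standing in for $_POST['email'] and $_POST['category'].
$good = validate_subscription('alice@example.com', '3');
$bad  = validate_subscription('alice@example.com', '3); DROP TABLE emails; --');
expect($good !== null, 'well-formed submission accepted');
expect($bad === null, 'non-integer category rejected before any SQL is built');

insert_subscription($db, $good['email'], $good['category']);

// Defence in depth: even if validation were skipped, a bound value is stored as a
// literal string rather than executed as SQL.
insert_subscription($db, $payload, 1);
$rows = $db->query('SELECT email FROM emails ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
expect($rows === ['alice@example.com', $payload], 'table intact, payload stored verbatim');

echo "OK\n";
```

Run it with `php subscribe_demo.php`; it needs the pdo_sqlite extension. The two-layer design is deliberate: `filter_var` rejects anything that is not the shape of data the form expects, and the prepared statement means that whatever does reach the database is data, never statement text, so the ad hoc `sql_quote` function disappears entirely.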
You have a syntax error in your query; try this:
```php
// assumes sql_quote returns the escaped value without adding quotes (as in the
// rewrite above); the question's own version wraps non-numeric values in quotes
// itself, which would double them here
$email = sql_quote($_POST['email']);
$category = sql_quote($_POST['category']);   // escape this one too; it was going in raw
$q = "INSERT INTO emails (email,category) VALUES ('$email','$category')";
```
You have to use data as the key for your data.
```javascript
$.ajax({
    url: "ajax_subscribe.php",
    method: 'POST',
    data: { email: email_value, category: category_value },
    success: function(response) {
        if (response != '') { alert(response); }
        alert('Thank You !');
    }
});
```